I reviewed source of Modeshape 5.4.1 and found than the ModesShapes doesn't use security in getting any properties. In other worlds, If someone know URL anyone can get file without call my AdvancedAuthorizationProvider

The question: this behavior expected or this is backdoor? If this error should someone create Jira issue?